How plugin security works

When enabled, Liferay Portal’s Plugin Security Manager checks a Portal Access Control List that’s deployed with the plugin. This list describes what APIs the plugin accesses, so that you can review what it does without having to look at the source code. If the plugin tries to access anything that’s not on this list, the plugin’s request is stopped dead in its tracks, throwing exceptions to let you know what went wrong.

Access to APIs is authorized by means of the property values specified in the plugin’s liferay-plugin-package.properties file. This file must be specified in your plugin’s WEB-INF directory. These security manager properties are collectively known as the plugin’s Portal Access Control List (PACL).

As you develop plugins for Liferay Marketplace or for distribution within your organization, you’ll need to set the security manager properties appropriately. Before we dive into the intricacies of these properties, let’s consider a plugin development approach that involves designing an app for the security manager from the ground up.